1. Field of the Invention
The present invention relates to the field of multi-tier application management and more particularly to persistent application resource access control in a multi-tier application.
2. Description of the Related Art
A multi-tier application is an application structurally distributed across a computer communications network. In a multi-tier application, the interface, data storage, and the logical functionality of the application can be spread across one or more computing units and each can be configured to interact with one another in concert to produce the effect of a unitary application. Different layers of a multi-tier application can communicate with one another, receiving input for processing and producing output to be provided to a different layer of the application.
Functional layers of a multi-tier application include a persistence layer in which application data is stored in a sensible, organized way, an accessor layer in which database access logic can be implemented to interact with the persistence layer, a logic layer processing user input and stored data to produce a useful result, and a presentation layer configured to present the useful result to an interacting end user. Additionally, a requestor/consumer layer can be provided through which an end user can interact with the application. Typically, a Web browser or heavy client acts as the requestor/consumer layer. Of note, security considerations must be applied at all layers of a multi-tier application.
Security considerations implicate not only data access, but also data processing and data transmission. Within a multi-tier application, data can be accessed through application components in the logic layer as well as through the database management system in the persistence layer. Therefore, in order to provide comprehensive security in a multi-tier application both the logic layer and persistence layer must be accounted for. When providing comprehensive security for a multi-tier application, fine grained access control must be supported. Fine grained access control refers to role based access to data and data processing facilities.
In this regard, in a multi-tier architecture, persistent application resources such as the enterprise Java™ bean (EJB) (Java is a trademark of Sun Microsystems, Inc. of Santa Clara, Calif.), reside in the logic layer and provide persistent access to data in the persistence layer. Method permissions for persistent application resources support permission based access to the data processing facilities of persistent application resources. However, fine grained access control is supported by method permissions only in so far as a type and EJB method is specified. Fine grained access control on an instance-by-instance basis of a persistent application resource, however, is not supported.
Instance based access control is known to support fine grained access control in a single tier application. In instance based access control, different instances of a persistent application resource, e.g. a J2EE entity bean, associated with the roles of different accessors support different levels of security. Hence, instance based access control implements fine grained access control. Yet it is often necessary to specify access control policies differently for each instance of a persistent application resource. Examples include the differentiated computation and presentation of interest rates for different types of bank customers encapsulated in different instances of a persistent application resource, with one interest rate quoted to one bank customer not being visible to another bank customer.
At present, instance based access control for persistent application resources can be achieved by encoding customized logic within each persistent application resource method. The customized logic can include program code enabled to compare the identity of an accessor to an attribute of the current persistent application resource instance before executing the business logic. Such a solution, however, can be difficult to configure in so far as code changes to the persistent application resource are required to support instance based access control. Code changes, as the skilled artisan will recognize, defeat the extensibility of a multi-tier application.
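The following is an added illustration, not part of the patent text, of the hand-coded instance check just described: a hypothetical entity bean (the bean name, the `customerId` field and the `bank-officer` role are assumed) whose business method compares the caller's principal against an attribute of the current instance before running the business logic.

```java
import java.security.Principal;
import javax.ejb.EntityBean;
import javax.ejb.EntityContext;

// Hypothetical J2EE entity bean (names assumed, not from the patent) showing
// instance based access control encoded directly in a bean method. Each
// instance represents one bank customer's interest rate quote; the method
// itself decides whether the caller may see it, because a declarative
// <method-permission> entry applies to the bean type and method, not to
// an individual instance.
public abstract class InterestRateBean implements EntityBean {

    private EntityContext ctx;

    // Container-managed persistent fields: the owning customer and the rate.
    public abstract String getCustomerId();
    public abstract void setCustomerId(String id);
    public abstract double getBaseRate();
    public abstract void setBaseRate(double rate);

    public void setEntityContext(EntityContext c) { this.ctx = c; }
    public void unsetEntityContext()              { this.ctx = null; }

    // Instance based access control hand-coded into the business method:
    // only the customer that owns this instance, or a caller in the assumed
    // "bank-officer" role, may read the quoted rate. Changing the policy
    // means changing this code in every affected bean, which is the
    // maintenance burden the passage above points out.
    public double getQuotedRate() {
        Principal caller  = ctx.getCallerPrincipal();
        boolean isOwner   = caller.getName().equals(getCustomerId());
        boolean isOfficer = ctx.isCallerInRole("bank-officer");
        if (!isOwner && !isOfficer) {
            throw new SecurityException("caller " + caller.getName()
                + " may not read the rate quoted to customer " + getCustomerId());
        }
        return getBaseRate();   // the business logic proper runs only after the check
    }

    // Remaining EntityBean lifecycle callbacks; nothing to do for this example.
    public void ejbActivate()  {}
    public void ejbPassivate() {}
    public void ejbLoad()      {}
    public void ejbStore()     {}
    public void ejbRemove()    {}
}
```

By contrast, a `<method-permission>` element in ejb-jar.xml naming `getQuotedRate` would grant a role access to that method on every instance of the bean, which is the type-and-method granularity the passage describes as insufficient.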